admin: Add an unlock command
#212
Conversation
|
FWIW I tested this on a current CentOS7 AH by copying You will also need to:
|
|
There is another option - we could provide a gated tool like:
which would ensure correct overwrites. It could even take |
|
Okay, see the above two commits. Right now overlayfs seems like a win, but I want to do more testing before I'm confident in it. |
|
|
||
| <listitem><para> | ||
| OSTree follows a default policy of retaining at most two deployments | ||
| per OS. This option suppresses the default collection of any previous |
There was a problem hiding this comment.
the default collection --> removal?
Ahh, or is it missing the word garbage?
I'm trying to improve the developer experience on OSTree-managed systems, and I had an epiphany the other day - there's no reason we have to be absolutely against mutating the current rootfs live. The key should be making it easy to rollback/reset to a known good state. I see this command as useful for two related but distinct workflows: - `ostree admin unlock` will assume you're doing "development". The semantics hare are that we mount an overlayfs on `/usr`, but the overlay data is in `/var/tmp`, and is thus discarded on reboot. - `ostree admin unlock --hotfix` first clones your current deployment, then creates an overlayfs over `/usr` persistent to this deployment. Persistent in that now the initramfs switchroot tool knows how to mount it as well. In this model, if you want to discard the hotfix, at the moment you roll back/reboot into the clone. Note originally, I tried using `rofiles-fuse` over `/usr` for this, but then everything immediately explodes because the default (at least CentOS 7) SELinux policy denies tons of things (including `sshd_t` access to `fusefs_t`). Sigh. So the switch to `overlayfs` came after experimentation. It still seems to have some issues...specifically `unix_chkpwd` is broken, possibly because it's setuid? Basically I can't ssh in anymore. But I *can* `rpm -Uvh strace.rpm` which is handy. NOTE: I haven't tested the hotfix path fully yet, specifically the initramfs bits.
|
Okay, squashed, and major changes in ⬆️ |
|
One thing I'm uncertain about...should |
| * think we could do this a lot earlier and make all of the mounts | ||
| * here just be relative. | ||
| */ | ||
| orig_cwd_dfd = openat (AT_FDCWD, ".", O_RDONLY | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY); |
There was a problem hiding this comment.
missing declaration for orig_cwd_dfd
|
I tried to make a new Rawhide tree with the updated OSTree (after adding the declaration for Failed to switch root: Specified root path /sysroot does not seem to be an OS tree. os-release file is missing. |
|
Blah, was accidentally building without dracut. Will fix. |
|
@giuseppe I suspect that error was actually coreos/rpm-ostree#243 |
| if (fchdir (child_deployment_dfd) < 0) | ||
| exit (EXIT_FAILURE); | ||
| (void) close (child_deployment_dfd); | ||
| if (mount ("overlay", "/usr", "overlay", 0, ovl_options) < 0) |
There was a problem hiding this comment.
GCC complains about ovl_options here (-Wmaybe-uninitialized). Easy fix:
diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
index d4842fe..846e522 100644
--- a/src/libostree/ostree-sysroot.c
+++ b/src/libostree/ostree-sysroot.c
@@ -1718,9 +1718,6 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
switch (unlocked_state)
{
- case OSTREE_DEPLOYMENT_UNLOCKED_NONE:
- g_assert_not_reached ();
- break;
case OSTREE_DEPLOYMENT_UNLOCKED_HOTFIX:
{
/* Create the overlayfs directories in the deployment root
@@ -1755,6 +1752,9 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
ovl_options = glnx_strjoina ("lowerdir=usr,upperdir=", development_ovl_upper,
",workdir=", development_ovl_work);
}
+ default:
+ g_assert_not_reached ();
+ break;
}
/* Here we run `mount()` in a fork()ed child because we need to useThere was a problem hiding this comment.
Yeah, but then if we later add a new enum member we lose the warning that we're not handling an enum member in switch.
It's too bad gcc can't prove it's initialized here, because it is. But that gets into:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=18501
Anyways I pushed a fixup which initializes to NULL then tells gcc it's not-NULL after the switch.
|
That, and a pile of fixups for the "hotfix" code path. You can see all of my bugs individually! The other thing is I added some bits to drop |
|
Hmm, don't feel strongly either way. I guess I'd vote for the cmdline option so that admins are more conscious of what will happen. Will give this PR a spin now! This should make testing my package-layering stuff much less painful. |
|
Hmm, I can't get |
|
Hum. I'm testing on RHEL7.2 for what it's worth. Are you using Fedora? |
|
Yes, F23. Testing it the proper way now (I was directly overwriting ostree files 😇 ). |
|
Sweet, yes it works. Two things:
Will test this more tomorrow, but I really like it so far. |
|
Or maybe have the Version string be e.g. |
|
I'm not sure what you mean - the overlayfs is mounted and writable after reboot, no? Or are you saying it shouldn't be? I could see that...but allowing "relocking" would introduce a new state into the system... |
Ahh OK, I missed that. Yeah, I think it's fine that way. The simpler the better. BTW, I really like the |
|
Maybe...I think at the moment I really want to get the non-hotfix I suspect for most people the biggest win is a persistent package layering, since you often want something smarter than tarballs for software delivery. |
Agreed! I think both @giuseppe and I gave a 👍 for this during today's meeting. Just putting it here for the record. :) |
|
Awesome, merged to master. Thanks for the review and testing! |
|
Though I should drop in here that I still need to debug "Specifically |
travis: Disable email notifications
I'm trying to improve the developer experience on OSTree-managed
systems, and I had an epiphany (:thought_balloon:) the other day - there's no reason we
have to be absolutely against mutating the current rootfs live. The
key should be making it easy to rollback/reset to a known good state.
This new
unlockcommand implements that by first "dup"ing thecurrent deployment, so you go back to it when rebooting (or with
--hotfix, have it as a rollback target).Next, we use
rofiles-fuseto point the mutable/sysroot/ostree/deploy/.../${thisdeployment}/usrto/usr. Wechoose
/usrsince this way we avoid the immutable bit and prettymuch everything is in
/usranyways.And then everything immediately explodes because the default (at least
CentOS 7) SELinux policy denies tons of things (including
sshd_taccess to
fusefs_t). Sigh.I'm not sure...we could try to load a policy module that allowed this?
Alternatively...we could investigate
overlayfsexcept that itself iscurrently known to be incompatible with SELinux too. Except we don't
need copy-up...